Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Blazor Security - Razor Pages custom authentication/security

I'm trying to build a Blazor application that is hosted on the server and the starting point is inside a razor page. Something like that:

<component type="typeof(Main)" render-mode="ServerPrerendered" param-Data="@simple"/>

My questions are:

  • What happens if the razor page has an Authorized Attribute, is all blazor code than correctly secured with the authentication ?
  • Is it impossible to call the blazor app without the razor page circuit id ?
  • What if my razor page does have a custom authentication based on database values inside the OnGetAsync method - do I need to redo some of that stuff inside blazor or does the stateful component only gets rendered when the razor page works ?

  • What happens if I have an arbitrary if/else block that would have a button call, would that button call be guarded by the state ?

Something along the lines:

@if (HasPermission)
{
   <button type="button" onclick="MutateDatabase">MutateDatabase</button>
}
like image 598
Christian Schmitt Avatar asked Jan 17 '20 09:01

Christian Schmitt


People also ask

How do I add authentication to Blazor?

There is an option available to enable authentication for the Blazor app when you create the application. To enable authentication for Blazor server app, click on “Change” under “Authentication section and select “Individual User Accounts” option and then click on “Ok” button when you create a new Blazor server app.

Can you mix Blazor and razor?

Razor components can be integrated into Razor Pages and MVC apps in a hosted Blazor WebAssembly solution.

Is there a future for Blazor?

If you were considering a Windows desktop application (built on something like WPF), Blazor is a more future-forward choice. But if you're a business building modern, public web applications, there's very little chance you'll recommend a client start with Blazor today.

How do I allow anonymous users on a specific Blazor page?

To make a Blazor page accessible by all users, use [AllowAnonymous] with @attribute code in the _Imports. razor file in your app. By doing this users can access the secured page (here we secured the fetch data) without a login.


1 Answers

I assume you run Blazor Server (At the time of writing WASM is still in preview and will be quite different security-wise).

The documentataion states that Blazor does indeed integrate with ASP.NET Core identity:

Blazor Server apps include a built-in AuthenticationStateProvider service that obtains authentication state data from ASP.NET Core's HttpContext.User. This is how authentication state integrates with existing ASP.NET Core server-side authentication mechanisms.

Now, to your questions:

  1. Given your rendering mode, for Blazor to kick in, the Razor page has to render an initial state and mark the element where Blazor is to manage the view later on. The way AuthorizeAttribute works (I presume this is what you meant?) will block the page from rendering, so this should prevent Blazor from starting altogether - you will get redirected away to authenticate. Once your users are past that gate though - be aware that Blazor handles [Authorize] on child controls differently:

    Only use [Authorize] on @page components reached via the Blazor Router. Authorization is only performed as an aspect of routing and not for child components rendered within a page. To authorize the display of specific parts within a page, use AuthorizeView instead.

    (this doesn't seem to be your case, but I'd put it here just in case)

  2. I'm not entirely sure if I understand the statement here: circuit is the term MS uses to identify the slice of server where your application instance lives while it's displayed to a client. The connection is maintained via websockets and is generally scoped to a session (check out cookies and url parameters to your /_blazor endpoint). The user is however not guaranteed to have same circuit throughout application lifetime (due to connection issues or server load-balancer config) - and it is fine, you are expected to handle state persistance across circuits yourself.

  3. This case I believe will be the same as (1): you don't get Blazor to start until hosting Razor view is rendered.
  4. It's probably best to follow Blazor's security management page: you have a couple of options to ensure you're catering for authenticated users:

    1. Use <AuthorizeView> to control what gets rendered:

    <AuthorizeView>
    <Authorized>
        <button type="button" onclick="MutateDatabase">MutateDatabase</button>
    </Authorized>
    <NotAuthorized>
        <p>You're not signed in.</p>
    </NotAuthorized>
    </AuthorizeView>
    

    You can technically use an if (user.IsInRole()) statement, but that might not get updated when User AuthenticationState changes.

    If this is not sufficient, you can either pick up cascading AuthenticationState parameter or look at implementing your own AuthenticationStateProvider

like image 149
timur Avatar answered Oct 15 '22 23:10

timur